September 23, 2005

Absurd NEW Functionality in Windows 2003

Honestly, this one just makes me mad.

Windows 2003 Server. IIS configured to serve a site out of D:\Webs\mySite\.

In order to ensure that IIS/ASP.NET can serve that site, I've configured
everything as needed: IUSR_<machine_name> and IIS_WPG both have
read perms (plus I've given NT AUTHORITY\NETWORK SERVICE write access to the
Temp ASP.NET files folder in the applicable version of the Framework, in my case
2.0). AND (heavens to Betsy...) because I need to be able to use the
FileSystem, and OPEN a file in my web, I've granted NT AUTHORITY\NETWORK SERVICE
modify on a directory where needed.

That's a lot of security mumbo jumbo when you think about it
but I'm NOT griping about THAT (though somebody
should).

I'm griping about what happens when I create a new folder on my desktop
called test (drop a sample .aspx into it, etc.), and then COPY/PASTE that into
my D:\Webs\mySite\ directory. If I then open a browser and point it at the
/test/ directory, I get prompted for my credentials.

Yup. Sure enough. Check the ACLs, and IUSR_<machine_name> and IIS_WPG
haven't inherited permissions in that directory - they're completely NOT
permitted into a child directory where they've been granted access on the
parent.
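Here is an added PowerShell check, not part of the original post, that compares the inheritable ACEs on the parent directory against what the child actually carries, so the "didn't inherit" case above shows up as a report instead of a browser credential prompt. The paths and identities are the ones from the post; the `-Repair` switch is an assumed option that re-enables inheritance on the child.

```powershell
# Added example: verify NTFS ACL inheritance from parent to child directory.
# Assumed paths from the post; adjust for your own site.
param(
    [string]$Parent = 'D:\Webs\mySite',
    [string]$Child  = 'D:\Webs\mySite\test',
    [switch]$Repair
)

$parentAcl = Get-Acl -Path $Parent
$childAcl  = Get-Acl -Path $Child

# If inheritance is disabled ("protected") on the child, nothing from the
# parent flows down no matter how the parent is ACLed.
if ($childAcl.AreAccessRulesProtected) {
    Write-Warning "$Child has inheritance disabled; parent ACEs will not propagate."
    if ($Repair) {
        # SetAccessRuleProtection($false, $true): turn inheritance back on and
        # keep the child's existing explicit ACEs.
        $childAcl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $Child -AclObject $childAcl
        $childAcl = Get-Acl -Path $Child
        Write-Host "Inheritance re-enabled on $Child."
    }
}

# Parent ACEs flagged to apply to subfolders and/or files are the ones a
# new child should pick up.
$inheritable = $parentAcl.Access | Where-Object {
    $_.InheritanceFlags -ne [System.Security.AccessControl.InheritanceFlags]::None
}

foreach ($ace in $inheritable) {
    $found = $childAcl.Access | Where-Object {
        $_.IdentityReference -eq $ace.IdentityReference -and $_.IsInherited
    }
    if ($found) {
        "{0,-40} inherited OK" -f $ace.IdentityReference
    } else {
        "{0,-40} MISSING on child (parent grants {1})" -f $ace.IdentityReference, $ace.FileSystemRights
    }
}
```

Run it without `-Repair` first; a MISSING line for IUSR_<machine_name> or IIS_WPG together with the inheritance warning is exactly the state that produces the credential prompt.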

What gives? (And this isn't just an IIS thing.) I understand the whole notion
of traverse checking, but that's actually a different notion (goes the OTHER way
around, and is truly a security concern). This... this is what? How does this make
me more secure, or safe?

Let's look at it this way: If I have a directory called \Financial Docs\,
and I've granted Bob in cubicle 37 access to read that directory, and
then paste in \September2005\ as a child directory - Bob can't read that
directory until I expressly ACL him.

Somebody tell me how that makes sense. Seriously, if I don't want Bob to read
that directory then I won't drop it into the share (an EXPLICIT action on my
part) - or I'll make sure to DACL him.

Likewise, if I don't want anonymous web users browsing the /underwear/
directory that I drop into my site, I'll DACL that in similar fashion.

I REALLY WANT to be WRONG here. But I've tested it a few times and the
results are always the same. What gives? And which service pack screwed
me?

That sounds like a logical solution. It just bugs me that when I add a folder somewhere it doesn't inherit perms by default. (i.e. If I were storing photo albums in a 'shared' directory, and dragged a new album in there, it wouldn't, by default, inherit the perms I had already set up. That's just unacceptable to me.)